ABSTRACT

The role of a security professional includes information security consulting. Consulting involves determining what security controls are in place, identifying control gaps, assisting lines of business in assessing risks, and recommending solutions. At the initiation of the assessment, the security professional might have little to no information regarding the problems, products, applications, environments, or the business. The assessor might be external to the enterprise, for an independent assessment, or an employee, for an internal evaluation. The size, complexity, and organizational structure of the enterprise can impede knowledge sharing. Individuals or groups might withhold pertinent information due to internal politics, personal agendas, or denial of responsibilities. Product manufacturers and service providers are sometimes reluctant to share details, or are unable to do so because of knowledge loss. Documentation is the cornerstone of any assessment. Enterprise documentation might include policy, standards, practices, or procedures. Industry documentation might include standards, specifications, guidelines, research papers, articles, or press releases.